
drew from dropbox here. i hope you guys can give us the benefit of the doubt: when something pops up that encourages people to turn dropbox into the next rapidshare or equivalent (the title on HN was suggesting it could be the successor to torrents), you can imagine how that could ruin the service for everyone -- illegal file sharing has never been permitted and we take great pains to keep it off of dropbox. the internet graveyard is filled with services that didn't take this approach.

so, when something like this gets called to our attention, we have to do something about it. note that this isn't even by choice -- if we don't take action, then we look like we are tacitly encouraging it. the point is not to censor or "kill" it (which is obviously impossible and would be idiotic for us to try to do), but we sent kindly worded emails to the author and other people who posted it to take it down for the good of the community so that we don't encourage an army of pirates to flock to dropbox, and they voluntarily did so.

there were no legal threats or any other shenanigans to the author or people hosting -- we just want to spend all our time building a great product and not on cat-and-mouse games with people who try to turn dropbox into an illegal file sharing service against our wishes. (for what it's worth, dropship doesn't even work anymore -- we've fixed the deduplication behavior serverside to prevent "injection" of files you don't actually have, for a variety of reasons.)

that said, when we disabled public sharing of that file by hash, it auto-generated an email saying we had received a DMCA takedown notice to the OP, which was incorrect and not what we intended to do, so i apologize to dan that this happened.

(*edited the last paragraph: we didn't send a takedown notice, we sent a note saying that we received a DMCA takedown notice, which was also in error)

> illegal file sharing has never been permitted and we take great pains to keep it off of dropbox.

Which is great, except you are punishing the crime, before it even occurred. Remember, use of torrents is not illegal per se; sharing files which you do not own the copyright of, and piracy, is.

> there were no legal threats or any other shenanigans to the author or people hosting. (EDIT - Not applicable. Read Drew's edit.)

DMCA takedown notice is a legal threat. Worse part is, it's not even valid, IANAL, but do you own the copyright of the data or the copyright owner approached you to issue a DMCA takedown notice?

> it auto-generated a DMCA takedown notice to the OP, which as many pointed out here was invalid and particularly inappropriate in this case, and was absolutely not what we intended to do.

Please do not send legal notices, without lawyers reviewing them?

> Which is great, except you are punishing the crime, before it even occurred.

No, they aren't. They're enforcing the terms of use that Dropbox users agreed to when signing up.

I don't think asking folks to take stuff down was the correct solution...I think fixing the bug was the right solution, which they've also done. But, I don't see how Dropbox is "punishing" anyone, when they're just asking people to use the service as it is intended.

It's clearly a violation of ToS to use Dropship, however, it's less clear whether it's a violation to store code that has the potential to violate the ToS.

Presumably if someone has reverse engineered Dropship¹ then we're not far off having an FOSS Dropbox-a-like to use it with? I'd have thought that is the problem Dropbox is most likely to be addressing?

Run your own organisation-wide Dropbox? Yes please.

Edit: ¹ I mean of course created Dropship by reverse engineering Dropbox's protocols.

> Presumably if someone has reverse engineered Dropship¹ then we're not far off having an FOSS Dropbox-a-like to use it with?

That's a pretty big stretch. You believe the client-side code to trigger download of a file that doesn't exist on the system is "not far off from having an FOSS Dropbox-a-like"? That's like finding a hub cap in the woods, and deciding you've almost got all the parts needed to construct a car.

I don't believe Dropbox is using any techniques that are secret; I believe anyone with the know-how, and time, and inclination, could use publicly available algorithms to replicate everything Dropbox has done. The "secret sauce" is not the protocol. There are a number of protocols for doing versioned file storage (WebDAV, for instance) and a number of protocols for transferring only the parts of files which have changed (rsync, for instance). The hard part is in putting them all together, not in any magic to be found in a few lines of code.

I highly doubt this is all a conspiracy to prevent people from building a FOSS "Dropbox-a-like". People can already do that, without needing any Dropbox magic. Oddly enough, no one has. I reckon it's because it's really hard to put all those pieces together in a way that works easily for end users. Highly technical users have had these kinds of capabilities for years in the form of version control systems, rsync, etc. Open Source developers have solved the hard algorithmic problems already (and Dropbox is standing on their shoulders). What Dropbox did is make it accessible and usable by anyone.

Do people really need any explanation other than, "Somebody made a mistake and sent out the wrong email"? They don't strike me as being particularly evil guys when I've met some of them, and while they aren't bastions of Open Source generosity as far as I know, they also never seemed to be anti-Open Source, to me.

>The "secret sauce" is not the protocol.


>People can already do that, without needing any Dropbox magic. Oddly enough, no one has. I reckon it's because it's really hard to put all those pieces together in a way that works easily for end users.

These two sentences are contradictory. The magic clearly doesn't lie in the protocol per se or the specific idea but in the implementation. Having a client that emulates Dropbox _seems_ to be the hard bit, strange as that may sound.

I have used the web interface, but the client is generally the only point of contact I have. If I have a new client that does exactly the same, and that client can be switched to a new server, my experience will be >99% unchanged and, in my scenario, the effectiveness will be the same.

If I can switch service without noticing any change in interaction (dropbox just sits there after all) and in fact can use the same client with either dropbox itself or a different server then it seems like a bad thing for dropbox.

iFolder seems to me very much like an open source Dropbox replacement.

Sadly, the server only runs on Linux, but to me this contradicts the assertion that an OSS Dropbox-like software has never been developed.

>...Run your own organisation-wide Dropbox? Yes please.


this is how Dropbox should pursue an enterprise offering, selling a Dropbox Server as a VM, a set of client licenses and instructions on how to run an internal dropbox server.

With encryption. With additional security features...

Yes, now that the bug is fixed I would have liked looking at the source code of Dropship just to see how it worked... So it's a pity that they asked people to take it down.

According to several other comments the source code is still quite widely available.

Yeah, I agree to enforcing the violation of ToS. I was writing for the DMCA take down notice for the possibility of illegal file sharing via dropship. (as mentioned by arash/drew in comments.)

I am actually curious to know what ToS were violated (based on which Dropbox decided to take the action), except that I have not read about the real reason on either the Original Article or the discussion on HN.

Can Drew/Arash clarify what Terms were being violated actually by dropship?

> Can Drew/Arash clarify what Terms were being violated actually by dropship?


Access, tamper with, or use non-public areas of the Site (including but not limited to user folders not designated as 'public' or that you have not been given permission to access), Dropbox's computer systems, or the technical delivery systems of Dropbox's providers;

Attempt to access or search the Site, Content, Files or Services with any engine, software, tool, agent, device or mechanism other than the software and/or search agents provided by Dropbox or other generally available third-party web browsers (such as Microsoft Internet Explorer or Mozilla Firefox), including but not limited to browser automation tools;

yes, but that has nothing to do with having the code, as I said in a post below... using it would be a violation, but why block open source code.

Even I am struggling to understand how exactly did this violate ToS? Was it "illegal code/file"? No! It was a file to a s/w that had the potential to be used maliciously, but the file uploaded itself wasn't, but hadn't really manifested in that form (yet). I feel asking the dev to take down the Github project is ok, but blocking/restricting access to the file itself, until proven malicious was a bad idea. And if that part about taking down the HN is true, it's a dick move. Yes, it's their platform and from an ethical stand point, being proactive this way helps everyone, but it could have been handled better.

To my understanding (after several downvotes, and few uncalled-for language), it is simple.

1. Dropship violated Dropbox ToS, by reverse-engineering Dropbox proprietary code.

That's all.

Nothing to do with DMCA notice, which was sent by accident.

Agree the Dropship s/w itself was in some violation of the ToS, but was the file that was uploaded to the public dropbox share in violation? What I am trying to separate here is, how could Dropbox the company "determine" the uploaded file indeed was the Dropship s/w? [I know in this case it was obvious as the dev had probably linked to it]. I am trying to pose a question to a different level, where how can/will dropbox scrutinize each uploaded file in this manner without actually receiving a DMCA from a third person?

Furthermore, even if the file contains code that could be used to violate the ToS, that doesn't mean the user actually has violated the ToS.

And Dropbox hasn't done anything to any users of the code, as far as I know. What do you think Dropbox is doing to people who poke at the code or use it?

Arash's comment on the article:

"This is Arash from Dropbox. We removed the project source code from the user’s Dropbox because it enables communications with our servers in a manner that is a violation of our Terms of Service. By our TOS, we reserve the right to terminate the account of users in this case. However, we chose to remove access to the file instead of terminating the account of the user."

I'm questioning whether possessing the file without using it against Dropbox is actually a TOS violation.

Hmmm...so, yeah, that's problematic.

They definitely should have just fixed the bug. Deleting people's files feels kinda nasty.

Are those ToS legal?

we have a variety of easy-to-use sharing mechanisms (public links, shared folders, etc.) that people have been using for a long time for legitimate uses.

to be clear, we _never issued_ any DMCA takedowns to anyone -- the OP incorrectly received a bizarrely-worded email from us saying we had received a takedown notice from ourselves (no such notice ever existed) for which we've apologized.

> to be clear, we _never issued_ any DMCA takedowns to anyone

Thanks. Already updated in the comment.

>"to be clear, we _never issued_ any DMCA takedowns to anyone"

That's just disingenuous legalistic manoeuvring though isn't it. You claimed that you had issued a notice, to yourselves, and it was outside of the email recipient's ability (without issuing an injunction - or whatever the process is in your jurisdiction) to confirm your claim. They took your word on it.

So fraud or a DMCA.

But no you say it was just "a mistake".

Forgive my cynicism but this is standard fare for the legal departments of big business, using the law to bully people who financially can't afford to protect themselves against false claims.

No, if I understand Drew's statement correctly:

They have a system they use for IP enforcement that bans based on file hash. They used this system to ban the files.

A side effect of this system is that it sends a DMCA notice to anyone who has a copy of that file hash (because that has always been what it was used for before). I'm guessing inside the hash-ban tool there is a field "owner" or something, which they filled in as "Dropbox" and is used as the source of the DMCA notice.

I don't think there is any conspiracy here. Never ascribe to malice what can be ascribed to incompetence. It's pretty harsh to call Dropbox incompetent, but given how it would make sense for their system to work, I think a mistake is a fair description.

I don't think cynicism is justifiable here. Let's use Occam's Razor:

1. Dropbox staff hand-crafted oddly-worded DMCA takedown notices and purposefully sent those to specific individuals after having already sent them polite requests to remove certain content;

2. Dropbox staff hand-crafted oddly-worded DMCA takedown notices at some point in the past as part of an automated system, which fired incorrectly when staff removed content.

To me, #2 makes a lot more sense, and is the simpler (and in this analysis, the more likely) case.

To be clear, Dropbox isn't wording any takedown notices. These are just automated e-mails saying that content is being removed because Dropbox itself received a takedown notice from a third-party and that they are complying.

Actually, you are misrepresenting the issue here from what I understand.

No notice was sent to anyone. What the e-mail that was sent claimed was that Dropbox had received a DMCA takedown notice from a third-party and that's why the file was taken down. However, that was just an automated response to any file being taken down using whatever mechanism they had in place.

I'm not sure where the "law" is being used to bully people who can't afford it in this case.

If you mean that I, pbhjpbhj, am misrepresenting then please read the quote and first line again.

My point was that whilst they were not issuing a notice they were claiming a notice had been issued and as Dropbox were the claimed issuer and receiver of said [non-existent] notice that without legal action the recipient of the claim could not confirm. For all intents and purposes the recipient of the claim is in the same position as if a notice has been issued.

I thought I'd made it clear enough. I did not once, knowingly, claim that an actual DMCA notice had been issued - hence the contentious suggestion of fraud (in claiming they had received a DMCA when they hadn't and using that claim as rationale to remove [the link to] the files from their client's account).

>I'm not sure where the "law" is being used to bully people who can't afford it in this case.

It goes something like this:

'Oh, I'm sorry Mr Nongrata I've got to take down your perfectly legal website because we got issued with a DMCA; why yes of course you can challenge that [big fat lie], mount a court case against the issuer. What's that you don't have $100k to spend getting it to court, oh too bad. Muahahahaha'.

In any case, it doesn't matter if the Dropbox team are nice guys it matters if the people behind Sequoia Capital et al. are the sort to use a legal threat to protect their millions of pounds of investment.

>DMCA takedown notice is a legal threat.

I think Drew was mistaken when he called it a "takedown notice". That term has a specific meaning, and judging from the linked article, what DropBox actually sent to the OP was not a takedown notice. Instead, it was just a message saying that DropBox had received such a notice from a third party and consequently disabled access to the allegedly infringing file.

correct -- fixed this distinction in my reply, thanks

> Which is great, except you are punishing the crime, before it even occurred.

This is pretty disingenuous. You really think their assumption that Dropship would quickly turn Dropbox into an illegal file sharing haven is an unrealistic grasping of straws?

As mentioned before, IANAL, and I do not have deep/any knowledge of the laws Dropbox is incorporated in. However, "Presumption of Innocence" (http://en.wikipedia.org/wiki/Presumption_of_innocence) aka "Innocent until proven guilty" is one of the universally applied (if not, also accepted), legal concepts.

Can dropship be used for illegal file sharing? Yes.

Is dropship being used for illegal file sharing? No, until proven otherwise.

Legal penalties are applied for the cases depending upon what happens/happened, not what could happen.

That being said, my understanding of law is deeply based on my country's law. The case might be different in the country dropbox is incorporated.

EDIT - I got a lot of downvotes for this reply. Can someone (who intends to downvote this comment), please explain where I am missing the point and/or being wrong?

I downvoted you because you are discussing DropBox as though it is a public utility that you have a right to, and some form of due process needs to take place. In my mind, you are completely and absolutely missing the point.

DropBox is a private company, whose behavior should be viewed based on what their ToS are, and how they stick to them.

They don't have to prove anything - if one is engaging in behavior, or taking action that jeopardizes Drop Box as a service, or as a company, something they have worked really, really hard for, their rational response is to shut down the person engaging in that behavior.

What DropBox is saying is that regardless of whether you think they should become the next RapidShare, or BitTorrent - that's not a business they are interested in - regardless of whether you think you might have some excuse as to why your behavior hasn't proven to be illegal file sharing.

These are not legal penalties. This is not about the Law. Drop Box is not the government. They do have the right to refuse service, and, in fact, to shut down uses of their service that they are not comfortable with.

I think another reason why you are getting down voted is that a lot of the people on YC have worked really, really, really hard to build these types of services, and get frustrated when people fundamentally don't get it.

I understand your point, and it is certainly ok for DropBox to defend its ToS. But behind this story, seeing how fast they reacted to a single json hack in their model, it shows that DropBox is currently fighting a lot against a strong trend, and moreover against their own users, which is not a good sign for them. Fear is a bad advisor.

Not sure I agree. What indication do you have that this is a "strong trend" or that a significant number of users want this feature? Maybe they see that a small number of users would have a disproportionate impact on their service.

Not supporting something that a small number of users want if it would make the service worse for other users is the sort of decision every web service makes every day. Why isn't this just another case of that?

Presumption of Innocence is only valid when being held or otherwise detained due to suspicion of guilt by the government, at least in the USA.

Dropbox is a private service, and any notices stating that users cannot sync certain files when they use their product under penalty of removal of their account can be enforced, just like any brick and mortar store can enforce a "no shoes, no shirt, no service" policy and refuse to give service to anyone they please, even for trivial matters like whether or not the patron/user is wearing clean socks.

Sure, they have legal rights to do so. However, just because it is legal it does not make it fair (Ref - Sony vs. Geohotz).

Punishing for the suspicion of crime, rather than actual crime, just because you can get away with it, is evilish and not nice. I expect better from Dropbox, we all know and love.

Where suspicion approaches certainty, evil-ish approaches perfectly understandable and rational.

The Internet IS being used for illegal file sharing. Should we take it down? No! Classic baby/bathwater.

I think the comparisons are not correct. Dropbox is a privately held entity and the founders have every right to enforce the ToS and to compare that against Internet itself is not right.

Your logic sounds consistent with plenty of established principles.

But keep in mind the US part of the internet is by and large a collection of privately held entities. By your logic, it's completely reasonable for Sen. Lieberman to place calls to Amazon to suggest websites and services they might want to review for ToS violations and take them down.

It cuts both ways dude. One day Dropbox, your ISP, whoever could decide that they don't like something you wrote (in code or in opinion) and "happyfeet" is then in violation of their ToS.

In fact, Dropbox is probably reading your comments in this thread right now. They might just decide your files are in need of review.

There's a pretty easy solution if that happens. Host your files somewhere else. Your use of Dropbox (and their decision to allow you to use their service) is on a purely voluntary, at-will basis.

That's not how the presumption of innocence works. I say that as someone who has practiced both civil and criminal law. Presumption of innocence only applies to crimes. Copyright violations are not crimes, they are civil torts. (Though some actions incident to copyright violations, i.e., circumventing DRM, can be crimes.)

Can dropship be used for illegal file sharing? YES, in fact, that was the suggested and intended use. Under American case law, which governs Dropbox, that alone is enough to constitute a DMCA violation (see, e.g. Napster, Kazaa, and succeeding cases).

Dropbox took dropship down to prevent future legal issues. Since it's their service, they don't have to wait until they incur actual legal liability to act.

Thanks, It was helpful information. As said before IANAL.

That being said, I realize Dropbox(or Corporate entities in general) is not government and/or legal system and it is not required of them to follow laws, which are applicable for governments.

However, Laws are legal representation of morals/ethics, which are applicable for every entity in the society, for its effective operation.

While the law is codified as Presumption of Innocence, its underlying sentiment, from moral point-of-view, Judge/punish based on definitive actions not speculations, are applicable for all entities of the society.

"Thanks, It was helpful information. As said before IANAL."

Not only are you not a lawyer, but you are also struggling with some basic concepts regarding the implementation of laws.

Laws, implemented as statutes, have no association with, or bearing on, morals which are purely a cultural phenomenon.

I understand that you disagree with how Dropbox went about protecting themselves from civil liability, however they violated no laws by their actions.

> I understand that you disagree with how Dropbox went about protecting themselves from civil liability.

I absolutely do not disagree with how Dropbox went about protecting themselves. What I disagree with is, trying to claim a tool or technology can be anti-law, rather than its usage.

All pieces of technology, from Atom energy to Internet, can be used for both wonderfully good or evil. What I am trying to say is, Laws are (should be) applied how a technology is used, not what technology is used.

That being said, I am not trying to defend or endorse dropship's reverse-engineering of Dropbox's proprietary code, and hence infringing the ToS. It certainly looks illegal.

> however they violated no laws by their actions.

Never disagreed.

Are laws purely a cultural phenomenon? Do laws have no association with morals? Your sentiments sound more like the product of an ideology and less like conclusions based on an anthropological, historical, philosophical, or any sort of open-minded inquiry into culture, societies, and human nature.

Additionally, you're conflating society, which is comprised of a group of people, with culture, which is a product of a group of people that aren't necessarily members of the same society.

I wasn't conflating society and culture. American society, the group of people who are citizens of the United States of America, is a superset of the Christian culture.

Christian culture defines a moral code by which they measure themselves. That culture is present in many societies and can influence (or not) the societal debate on governance (witness the current California constitutional ban on Gay Marriage as an example).

That leads to people who are culturally opposed to laws enacted by the society in which they happen to live.

Laws are enacted by the constituents of a nation-state as a means of defining roles, rights, and remedies. The process by which they are proposed, debated, and enacted is internally consistent but varies between governing bodies.

You're wrong. You're not even wrong, to be more precise. Your comments are filled with inconsistent use of terminology and drift between discussions of individual people, cultures (semi-coherent bodies of artistic, intellectual, and artistic achievement), and societies (aggregates of people who more or less share a culture, physical space, and institutions).

If you re-phrase whatever point you were trying to make by consistently using words with meanings we can agree on, then maybe we'll have something to disagree about.

I'll just chime in to post another point that was missed here. Arguably the most important (and controversial) principle in American jurisprudence is the freedom to enter into contracts. Dropbox has terms of service to which you manifest assent either directly (by clicking "I agree") or by your actions (that is, just by using the service). I'd venture to guess that in their terms of service is some provision that gives them the basis to remove accounts at any time, for any reason.

Courts have upheld these terms of service/use agreements in many cases; just googling ProCD v. Zeidenberg will give you more information, if you're interested.

Not every law has a universal jurisdiction and applies to every possible party.

For example, the government has no right to privacy whilst we as individuals do.

It's biased to say that torrents and rapidshare are equivalent to illegal file sharing. Illegal file sharing is just how people use these platforms, but not these platforms themselves. Dropbox is just another file sharing platform which directly exposes to the threat of illegal file sharing.

The de-duplication feature greatly helps pirates to gain access to files that don't belong to them, or even other people's privacy. If illegal file sharing service is something against your wishes, what you can do is to concentrate your effort to fight against copyright infringement (if you'd like to), instead of killing an innocent open source project that simply helps cross-account file sharing.

I used to love Dropbox's de-duplication feature, and I think that helps a lot of people with low bandwidth connections. Since I started noticing the existence of such feature, I'm already aware of:

1. My files are no longer mine. Anyone who knows the hash can access my files immediately.

2. Dropbox's claims about encryption are totally pointless in this case. Encryption is not going to help.

3. Requests from government agencies are going to be fulfilled very promptly.

4. Even hackers can access my files with the knowledge of only the hash, why can't employees of Dropbox?

I don't understand the "strict access policy" on employees inside Dropbox. Is there any difference between Dropbox's de-duplication and eDonkey's hash-to-file P2P?

To me, Dropbox is doing something here that is against their wishes.

(Well) encrypted data is fundamentally indistinguishable from random data.

De-duplication requires commonality between files, which could not be found in encrypted data if users had unique keys.

Thus, if they have the ability to de-dupe _after_ you've uploaded a copy, they have the ability to decrypt your entire archive.

I'm not saying that's how they do it, but it would seem the logic is that your data never was particularly well encrypted.

Help me, I'm trying to get my head around this.

You developed a file sharing system that allows anyone to obtain the full contents of a file by simply knowing its hash?

Then when developers make tools to allow using this for simple cross-account file transfer you send DMCA takedown notices, claiming you are the rightful copyright holder of their code, to places like GitHub?

You seem to equate other file transfer services with "illegal file sharing".

Did you ever consider the possibility that someone could steal the contents of another person's file by knowing the hash of it? Sometimes hashes are public info and the file contents are not.

Or am I not understanding what just happened here?

No DMCA takedown requests were sent to GitHub. We simply nicely asked the author of Dropship to take down the link and he fully understood our position and took the code down.

The only erroneous use of DMCA was when we attempted to take down the link on Dropbox, which was an entirely honest mistake.

"He requested that I not only remove the archive from Dropbox but delete my posts on Hacker News, which at that point included the fake DMCA takedown."

What you tried to do there is censor and resorted to fake legal repercussions. You can brush it aside saying that it was a mistake but it is still uncool for a corporation to do that to an individual.

I see. So the comment on the razorfast.com site:

I forked Dropship, just in case, and my GitHub repo of it was deleted. I was not notified of this. NOT happy with DropBox, and ESPECIALLY not happy with GitHub.

Is perhaps not accurate then.

Since the original dropship repo mentioned on razorfast is still available (and has a pull request waiting), and the comment didn't really contain any context, I wouldn't give it much weight yet.

I'm pretty sure sending fake DMCA requests is illegal, and it doesn't matter if it's a mistake.

It's illegal only if it was intentional. A mistakenly sent DMCA request is okay, as long as the sender follows up with a disregard notice.

but what he's saying is he sent a notice of a DMCA takedown, not an actual takedown request.

Was it?

There were no takedown requests. The whole discussion is moot.

Asking people to remove stuff from HN? That's utter bullshit, and if true, I'm basically done with Dropbox. Asking people not to talk about something (with access to your service as the gun to their heads) is not something I will tolerate in someone I do business with.

I don't actually use Dropbox for anything, though, so perhaps my thoughts don't matter.

You're done using something you don't use because they _asked_ someone to do something (rather than taking the industry standard approach of getting lawyers involved)?

What would they be able to do with their lawyers? There is no case.

Harassing people can be pretty effective. (I'd say "ask Sony", but they might have actually won.)

> we've fixed the deduplication behavior serverside to prevent "injection" of files you don't actually have, for a variety of reasons

I think this was a good call, and not just for the piracy issues but for the substantial information disclosure and possible misappropriation of sensitive documents that it could have facilitated. This is something that's been on my radar for some months, and frankly seemed like a significant reason to not trust dropbox with anything that wasn't effectively public.

So I'd consider the event a net positive for your firm and customers. I might consider trying to get out in front of any negative publicity that's going on here by publicly thanking the programmers and researchers that have brought these risks to light in the past month and paying a few bug bounties to them. A few bounties similar in size to the ones the mozilla and chromium projects pay out certainly wouldn't break the bank, and might do something for public opinion. Not to mention the benefits of an ongoing program - people might be more inclined to contact you first instead of immediately going public with future issues.

> ... the substantial information disclosure and possible misappropriation of sensitive documents that it could have facilitated

They match duplicate files with an SHA256 sum and size in bytes. With those two factors, the probability of a collision is incredibly tiny and impossible to exploit usefully. If you tried a trillion combinations you might find a useless file, but by then you would be detected and banned from Dropbox.

I agree that random collisions are an unlikely attack vector. However, there is not a general understanding that disclosing sha256 hashes is the same as disclosing the file. Imagine a social engineering attack that requested employees run a 'sha256sum ~/Documents/* > hashes.txt' and mail the results with the explanation that this is to make sure they have no infected documents/old versions/unauthorized files on their hard drives. Many people would be willing to do something like that if it appeared to be from a legitimate source, but if they had been asked to email all their documents they'd be much more unlikely to comply.

Hashes are also disclosed in other ways. In certain cases security researchers will reveal a hash of a file publicly to provide proof of a file that might contain a proof of concept exploit against a privately disclosed bug - with the idea that the contents of the file could be revealed at a later date. If someone the researcher shared that file with privately placed it on dropbox, that file could be revealed publicly.

Online AV systems could be another form of disclosure. Many "online scan" products report the hashes of local files back to the server for malware detection - it is faster to upload your hashes than download the hashes of the many millions of signatures a product can scan for.

Another version of this is virustotal.com or similar services that will scan a submitted file against a large number of AV products. The resultant scans include the sha256 hash and are often publicly accessible, while the contents of the file aren't. In the days after several recent Adobe Flash 0-days, virustotal reports on infected documents were reported publicly days before the bug was fixed or the actual exploit was publicly revealed. Here is one such example for CVE-2011-0611 submitted on 4/9/2011, made public on 4/11/2011 but no patch was available until 4/15/2011: http://www.virustotal.com/file-scan/report.html?id=1e677420d...

Granted, all of these presume that sensitive files are being placed on dropbox when they probably shouldn't be. But these things do happen.

As far as information disclosure, someone who has a legitimate copy of a file could then use the hash to determine if the file is being leaked off site or distributed inappropriately. This may be seen as a feature to some document owners, but it could serve to detect exfiltration that one might otherwise agree with. Whistle blowers come to mind. If you suspected a leak, one might provide slightly different copies of a sensitive document to a group of employees and see if any of the hashes appeared on dropbox after admonishing them to not allow the file to leave the enterprise.

I understand that many of these concerns could be dismissed with well, they already have bad document handling procedures, etc. Which would be valid, however in the real world a lot of poor behavior goes on. I'm just listing these as examples of the kind of problems that could arise, I'm not trying to take a stand on how likely any of the attacks might be.

It would still allow collision attacks though. There are probably a lot of legal and medical documents (recipes) that only differ in a few words, such as name and date of birth. By trying a bunch of combinations you can test if those documents exist.

The collision attacks outlined above still work, with a regular dropbox account, no dropship needed. You can create 100,000 attack files, and then upload each one. The ones that don't actually transmit bytes show you that the file exists. (E.g. a highly regular file like some health or banking record...) It's just watching if de-duplication happens or not.

They need to patch that hole, I think by requiring everything to upload, then deduplicate on the server...

Which is another way of saying what speleding points out.
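The two problems raised in the comments above (a bare hash standing in for the file, and the "no bytes transmitted" reply revealing that a file exists) can be seen in a toy model next to the upload-then-deduplicate design suggested above. This is an added example, not Dropbox's code or protocol and not part of any comment; the class names, method names and sample data are hypothetical.

```python
import hashlib

def digest_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

class ClientDedupStore:
    """Weak design: client announces a hash, server skips the upload if it is known."""
    def __init__(self):
        self.blobs = {}   # digest -> bytes, shared by every account
        self.files = {}   # (account, name) -> digest

    def commit(self, account, name, digest, data=None):
        if digest in self.blobs:
            # The hash alone acts as proof of possession, and the distinct
            # reply tells any caller that someone already stored this content.
            self.files[(account, name)] = digest
            return "linked-without-upload"
        if data is None or digest_of(data) != digest:
            return "need-blocks"
        self.blobs[digest] = data
        self.files[(account, name)] = digest
        return "uploaded"

    def read(self, account, name):
        return self.blobs[self.files[(account, name)]]

class ServerDedupStore:
    """Hardened design: bytes are always required; dedup happens after receipt."""
    def __init__(self):
        self.blobs = {}
        self.files = {}

    def put(self, account, name, data: bytes):
        digest = digest_of(data)             # server computes the hash itself
        self.blobs.setdefault(digest, data)  # storage is still deduplicated
        self.files[(account, name)] = digest
        return "stored"                      # same reply whether or not it was new

    def read(self, account, name):
        return self.blobs[self.files[(account, name)]]

def demo():
    secret = b"constructed sample: payroll-2011.xls contents"
    weak = ClientDedupStore()
    weak.commit("alice", "payroll.xls", digest_of(secret), secret)
    # A second account that only learned the hash never sends the bytes.
    reply = weak.commit("other", "copy.xls", digest_of(secret))
    leaked = weak.read("other", "copy.xls")

    hard = ServerDedupStore()
    r1 = hard.put("alice", "payroll.xls", secret)
    r2 = hard.put("bob", "payroll.xls", secret)
    return reply, leaked == secret, (r1, r2), len(hard.blobs)
```

The hardened store keeps the disk saving but gives up the bandwidth saving, which is the cost of removing both the existence signal and the hash-only path.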

> we've fixed the deduplication behavior serverside

Great, and that's all you should've done in this case.

> Great, and that's all you should've done in this case

I doubt that is what the lawyers said.

Then they should fire the lawyer who a-OKed to send the invalid DMCA takedown notice(s), which makes Dropbox culpable for it.

Correction: They should fire the automated script which sent the email.

I vote fire the guy who used the automated script which sent the email.

How about not firing anybody and just get back to work?

"when we disabled public sharing of that file by hash"

Sorry, I may sound harsh, it's not my intention, but I have to ask: how often does it happen that you disable public sharing of files you don't like?

From what I understand about Dropbox's anti-piracy system, he's talking about what they do when, say, someone posts a public link to "Spiderman.3.DVDRip.avi" in a forum in China. This obvious and illegal use of Dropbox is a big liability, not to mention source of traffic.

I appreciate the nice-guy approach here, but there remain two problems with it: relying on the goodwill of internet strangers not to abuse the service and exposing Dropbox to false DMCA takedown liability. "Under penalty of perjury," I think the clause goes. That auto-takedown workflow might need a little revision, but I'm sure you already realize this.

Out of interest, how do you plan to stop people using dropbox like rapidshare? It would be easy for one to upload a file divided into multiple rar files and distribute them to different dropbox accounts. The only way you would be able to block this is watching for a large amount of downloads of a particular file and finding out the context of the file which may prove impossible (and possibly illegal).

In terms of the software, it is unlikely that the general user will use it without some technical skill.

Dropbox already has provisions for restricting those accounts which use an excessive amount of bandwidth. They'd be able to block those files without needing to know the actual contents.

If I wanted to be a complete ass about using dropbox for piracy, I'd use GPG.

Share the GPG private key, the public key, the archive, and the password to use the key. It's too computationally expensive to automate opening these. And you could always spread the keys and keyphrase to wherever you want it.

But dropbox works well for what it is. I see no reason to trash it with pirated stuff.

If dropbox opened the archives (to check) then it would be against the British data protection laws (and probably most other countries) if they were not given the access by the owners.

I have no want or need to trash it with pirated material either.

Even in the US, it might be illegal under the ECPA.

DMCA notices are no joke, especially for the receiver.

Your 'automated' system should probably be either:

a) manual

b) have a big ass 'THIS F-ING SENDS A DMCA NOTICE' warning before you disable a file.

Yes, in an ideal world their system would only ever store and forward a received DMCA notice.

But here in the real world Dropbox doesn't really give a shit whether they actually got a real DMCA notice from Sony regarding the presence of "Spiderman.3.DVDRip.avi" in a particular 13-year-old's public folder — since none of those accounts are paid, they're just saving themselves money, and no one would discover it normally or have a reason to be pissed off at them. They can't even get in trouble for perjury since they were never sending DMCA notices to users, but rather telling users that Dropbox had received a notice.

That was such a classy response. Well done Dropbox - I don't want you to become rapidshare either.

Hey Drew, Alex from JDownloader (an OS project with over 15M active users, btw) here.

>>"when something pops up that encourages people to turn dropbox into the next rapidshare or equivalent, you can imagine how that could ruin the service for everyone"

You don't want to be the next Rapidshare. I encourage you to overthink this.

They're your competitor.

Sure, if with Rapidshare you mean "illegal file sharing service", which I assume you do, because you use it in one sentence with Torrents, you might be right. Although Rapidshare hasn't hit the deadpool yet and is still around and strong and in compliance with current law etc. But if you mean the highly profitable business of sharing (legal) files, you should think again. They offer the same thing you offer in a way. Cloud storage + backups on a very similar freemium business model. Only for larger files. For some use cases your product might be exorbitantly better (automatically syncing files on a hard drive and not just having it in a filesystem in the cloud like RS), in some ways Rapidshare's product is a lot better though (e.g. sharing larger files with multiple people). But the nature of Rapidshare's product of course comes with a few strings attached. Since the incarnation of filehosting there have been people who try to exploit it for illegal purposes. Rapidshare obviously doesn't have the cleanest image, yet, they comply with the DMCA and offer an incredibly valuable product.

And, most importantly: Rapidshare (as well as the majority of one-click-hosters) learned about the Streisand effect (see http://en.wikipedia.org/wiki/Streisand_effect) early and did not act as aggressively about things like this the way you did. Of course our and your situation is different, yet there are a few similarities you could have learned from.

This time you have successfully dodged the bullet and made a good strategic move, but I sincerely hope you have also learned something from this for the next time, because with a user base that is still growing like crazy the next time WILL come. And next time it might hit mainstream media even bigger and not only be on HN and Techmeme.

BTW: I can of course understand that you try to fight piracy as good as you can in order to protect the brand as well as the company from expensive lawsuits and their even more hurtful consequences. It's just the way in which you handled things. You should have known better. The Streisand effect has happened to so many companies already. But congrats on handling the situation so well after seeing all the negative feedback. It shows true entrepreneurial skills as well as hard work that some arrogant entrepreneurs don't put in anymore once they have moderate success (in startup terms).

I sympathize. But could you please explain how that email was "auto-generated"? I'm trying to give you the benefit of the doubt, I love what dropbox does, I understand the need to protect yourself from people looking to abuse the service, but... come on... was it really autogenerated? I think that is the part that has everyone scratching their heads.

I think they only ever planned to manually remove users' files in the event of receiving a DMCA takedown notice. So they implemented an automatic notification stating that.

Or maybe it was a default option, one of several, and it wasn't changed to something more appropriate.

Honestly, the title is very sensationalistic.

It tries to make it sound like you tried to enforce patents on a Dropbox clone or something, while the truth is that the software was a parasitic service incapable of existing without Dropbox itself.

To me that last part makes irrelevant that the software was OSS or not.

Any news on fixing the exploit? Is the option being considered by dropbox?

> we've fixed the deduplication behavior serverside to prevent "injection" of files you don't actually have, for a variety of reasons.)

Already done.

Doesn't seem to be done, as I just used the code in question to get the example trailer and I did not have the file in advance.

This is one of the more interesting comments in this thread. Can anyone confirm it still works?

EDIT: I get the following error:

    [xxx@xxx laanwj-dropship-464e1c4]$ ./dropship examples/sintel_trailer-1080p.mp4.json
    ('Oops, blocks are not known: %s', ['lykR7INbdxXNk04IpJUxTvO97GeETwAbobol2283eqY', 'ciZ4YYqkiA9VssSpfmcagRJaYMtD3wNqZ4NTeV9BvOc', '7qe_U9KLL8t1RRH3K01PdTxnEGCnm1nP8S30ZkXK0KI', 'cPJPJ_uch8hJFhKaEeXufETDZ-q6Fqz1cibxoYwL8G8'])

It calls your bluff now :)

I would like you to answer a simple question because after reading Arash and your responses I have doubts about using Dropbox.

Since you fixed the problem server side, why did Dropbox feel it necessary to then attempt to stamp out the no longer functional tool? Would you remove the ability for people to download DeCSS from my public folder due to potential harm? Would you remove the ability for people to download penetration testing tools from my public folder due to potential harm? Would you remove the ability for people to download disassemblers from my public folder due to the potential harm?

The code could be an interesting technical exercise and the censorship you are being accused of arises from this pointless action. That is what people are questioning. Where does that rabbit hole end?

At the time they requested the removal of the tool, they hadn't yet fixed the problem server side. I don't think it's egregious to request that the tool be taken down while they worked on fixing the problem. Much like how security exploits aren't just immediately published without notifying the company so they have a chance to fix it.

Regardless, I can completely understand the actions of staying away from Rapidshare (read the full comment for a day pass of $5, or wait 30 seconds).

However, pissing off the constituency that originally promoted your service isn't exactly #1 in your marketing plan. I'm not well known, but many who reside here are. Scaring off hackers just seems wrong, being Hacker News and all.

i can promise you we're not trying to piss off the HN audience, but sometimes we manage to anyway :)

Just a quick thing to point out. The rabbit is out of the hat (or whatever is the correct proverb for it). As with all technologies seen in years past, don't fight it on "legal" terms, and I don't mean legal as in suing the crap out of them (the Sony method), I also mean pleading to the community (the Valve method).

In reality if Dropship is illegally accessing a person's private files without "sharing" or making it public, fix that. The approach is quite novel in that you can create a one-off dropbox account, make it private, and claim someone "hacked" into your account to acquire it as it would appear Dropship's methods cannot be proven different than a hacking attempt, which means the uploader is not "responsible".

However to counter people's points, dropbox has no choice but to demand that any copyright violation even in private files is forbidden, otherwise they are hit with DMCA, the US laws give them zero wiggle room here.

Dropship is a nifty loophole in the DMCA rules allowing dropbox to become the legal rapidshare in the US, probably involuntarily and taking on legal risk they don't want in any way.
